{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/seh-overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25301"}],"_cs_exploited":false,"_cs_products":["Easy MPEG to DVD Burner 1.7.11"],"_cs_severities":["high"],"_cs_tags":["buffer overflow","seh overflow","cve-2018-25301"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEasy MPEG to DVD Burner 1.7.11 is vulnerable to a structured exception handling (SEH) local buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a targeted system. The vulnerability can be triggered by supplying a malicious username string to the application. The attacker exploits this vulnerability by overwriting the SEH handler, redirecting execution flow to attacker-controlled shellcode, which can then execute arbitrary commands. This vulnerability exists due to insufficient bounds checking when handling user-supplied data, specifically the username. 
Successful exploitation allows for arbitrary code execution within the context of the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious input string designed to trigger a buffer overflow in Easy MPEG to DVD Burner 1.7.11.\u003c/li\u003e\n\u003cli\u003eThe malicious string includes junk data to fill the buffer, SEH chain pointers to control the exception handling process, and shellcode containing the attacker\u0026rsquo;s desired commands.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the crafted input as a username during application execution, likely via a configuration file or command-line argument.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s vulnerable code attempts to copy the attacker-controlled username into a fixed-size buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflows, overwriting the SEH handler with the attacker-controlled SEH chain pointers.\u003c/li\u003e\n\u003cli\u003eAn exception is triggered within the application due to the buffer overflow, causing the SEH handler to be invoked.\u003c/li\u003e\n\u003cli\u003eThe overwritten SEH handler redirects execution to the attacker\u0026rsquo;s shellcode.\u003c/li\u003e\n\u003cli\u003eThe shellcode executes arbitrary commands, such as launching calc.exe, giving the attacker control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running Easy MPEG to DVD Burner 1.7.11. This can lead to complete system compromise, data theft, or denial of service. While there is no mention of the number of victims or specific sectors targeted in the provided document, the high CVSS score (8.4) indicates a significant risk. 
The impact would allow lateral movement and further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock execution of Easy MPEG to DVD Burner 1.7.11 if it is not a required application.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for unusual processes originating from Easy MPEG to DVD Burner using the process creation rule below.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected process execution, such as calc.exe (mentioned in the advisory), following the execution of Easy MPEG to DVD Burner 1.7.11.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:25Z","date_published":"2026-04-29T20:16:25Z","id":"/briefs/2026-04-easy-mpeg-seh-overflow/","summary":"Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string.","title":"Easy MPEG to DVD Burner 1.7.11 SEH Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-04-easy-mpeg-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2019-25670"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2019-25670","buffer-overflow","seh-overflow","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRiver Past Video Cleaner version 7.6.3 is vulnerable to a structured exception handler (SEH) buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack involves crafting a malicious input string specifically designed to exploit the way the application handles exceptions related to the Lame_enc.dll library. This vulnerability can be exploited by an unauthenticated, local attacker. A successful exploit results in arbitrary code execution in the context of the application. 
Defenders should implement detection measures to identify malicious processes spawned by River Past Video Cleaner, or unexpected registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker crafts a malicious input file designed to trigger the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker places the crafted malicious file in a location accessible to River Past Video Cleaner.\u003c/li\u003e\n\u003cli\u003eThe attacker executes River Past Video Cleaner and instructs it to process the malicious file.\u003c/li\u003e\n\u003cli\u003eRiver Past Video Cleaner attempts to load or process the Lame_enc.dll library.\u003c/li\u003e\n\u003cli\u003eDue to the malicious input, a buffer overflow occurs within the structured exception handler of Lame_enc.dll. This overflow overwrites the saved SEH record on the stack.\u003c/li\u003e\n\u003cli\u003eWhen an exception is triggered (as a result of the overflow), the overwritten SEH record is used.\u003c/li\u003e\n\u003cli\u003eThe overwritten SEH record redirects execution to attacker-controlled shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s shellcode executes, potentially granting the attacker arbitrary code execution within the context of the River Past Video Cleaner process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the victim\u0026rsquo;s machine. This could lead to complete system compromise, data theft, or installation of malware. The vulnerability is specific to River Past Video Cleaner 7.6.3. 
While specific victim counts are unavailable, the potential impact on any system running the vulnerable software is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations where the parent process is \u003ccode\u003eRiverPastVideoCleaner.exe\u003c/code\u003e, and the child process is unusual or suspicious (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) using process creation logs (logsource: process_creation). Deploy the Sigma rule provided to detect potentially malicious child processes.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unsigned or untrusted executables in directories associated with River Past Video Cleaner.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected registry modifications performed by \u003ccode\u003eRiverPastVideoCleaner.exe\u003c/code\u003e (logsource: registry_set). The provided Sigma rule detects potentially malicious registry modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-river-past-seh-overflow/","summary":"River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability allowing local attackers to execute arbitrary code by providing a malicious string in the Lame_enc.dll field.","title":"River Past Video Cleaner 7.6.3 SEH Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-river-past-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","seh-overflow","local-privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlexHEX 2.71 is susceptible to a local buffer overflow vulnerability (CVE-2019-25627) found within the Stream Name field. 
This flaw enables a local attacker to execute arbitrary code by exploiting a structured exception handler (SEH) overflow. The attack involves crafting a malicious text file containing precisely aligned shellcode and SEH chain pointers. By pasting this crafted content into the Stream Name dialog within FlexHEX, the attacker can trigger the SEH overflow and execute commands…\u003c/p\u003e\n","date_modified":"2026-03-24T12:16:02Z","date_published":"2026-03-24T12:16:02Z","id":"/briefs/2026-03-flexhex-overflow/","summary":"FlexHEX 2.71 is vulnerable to a local buffer overflow in the Stream Name field, allowing local attackers to execute arbitrary code via a structured exception handler (SEH) overflow.","title":"FlexHEX 2.71 Local Buffer Overflow Vulnerability (CVE-2019-25627)","url":"https://feed.craftedsignal.io/briefs/2026-03-flexhex-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2019-25628","buffer-overflow","seh-overflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDownload Accelerator Plus (DAP) version 10.0.6.0 is susceptible to a critical structured exception handler (SEH) buffer overflow vulnerability, identified as CVE-2019-25628. This vulnerability allows remote attackers to achieve arbitrary code execution by crafting malicious URLs. The attack leverages the application\u0026rsquo;s web page import functionality to introduce the malicious URL. Successful exploitation allows attackers to overwrite SEH pointers, redirecting execution flow to attacker-controlled shellcode. This vulnerability poses a significant risk to users of the affected DAP version, potentially leading to complete system compromise. 
The vulnerability was reported and analyzed by VulnCheck.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing overflowing buffer data designed to overwrite the SEH pointers.\u003c/li\u003e\n\u003cli\u003eThe victim uses the Download Accelerator Plus 10.0.6.0 application.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious URL to the victim via social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe victim imports the malicious URL through the application\u0026rsquo;s web page import functionality.\u003c/li\u003e\n\u003cli\u003eThe application attempts to process the crafted URL, triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflowing buffer overwrites the structured exception handler (SEH) record on the stack.\u003c/li\u003e\n\u003cli\u003eWhen an exception occurs, the application attempts to use the overwritten SEH pointer.\u003c/li\u003e\n\u003cli\u003eControl is transferred to the attacker-controlled shellcode embedded in the malicious URL, leading to arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2019-25628) allows a remote attacker to execute arbitrary code on the victim\u0026rsquo;s system. Given the critical severity score (CVSS v3.1: 9.8), the impact is significant. Affected systems are completely compromised, allowing the attacker to install malware, steal sensitive information, or pivot to other systems on the network. 
The number of potential victims is unknown, but all users of Download Accelerator Plus 10.0.6.0 are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDiscontinue the use of Download Accelerator Plus DAP 10.0.6.0 due to the unpatched SEH buffer overflow vulnerability (CVE-2019-25628).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the URLs associated with the vulnerability (e.g., \u003ccode\u003ehttp://www.speedbit.com/dap/\u003c/code\u003e, \u003ccode\u003ehttps://www.exploit-db.com/exploits/46673\u003c/code\u003e). Block these domains at the network perimeter.\u003c/li\u003e\n\u003cli\u003eImplement a network detection rule to identify HTTP requests containing unusually long URLs that might be exploiting the buffer overflow. This will require analyzing webserver or proxy logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:16:02Z","date_published":"2026-03-24T12:16:02Z","id":"/briefs/2026-03-dap-seh-overflow/","summary":"Download Accelerator Plus DAP 10.0.6.0 is vulnerable to a structured exception handler buffer overflow, allowing remote attackers to execute arbitrary code via malicious crafted URLs by overwriting SEH pointers and executing embedded shellcode.","title":"Download Accelerator Plus (DAP) SEH Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-dap-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2019-25603","seh-overflow","buffer-overflow","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTuneClone 2.20 is susceptible to a structured exception handler (SEH) buffer overflow vulnerability identified as CVE-2019-25603. A local attacker can exploit this vulnerability by providing a specially crafted license code string to the application. 
The vulnerability exists due to insufficient bounds checking when processing the license code, allowing an attacker to overwrite the SEH chain. The attacker-supplied input allows for arbitrary code execution by overwriting exception handlers…\u003c/p\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-tuneclone-seh-overflow/","summary":"TuneClone 2.20 is vulnerable to a structured exception handler (SEH) buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious license code string via the application's license registration feature.","title":"TuneClone 2.20 SEH Buffer Overflow Vulnerability (CVE-2019-25603)","url":"https://feed.craftedsignal.io/briefs/2026-03-tuneclone-seh-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Seh Overflow","version":"https://jsonfeed.org/version/1.1"}